A security vulnerability in Git
has been announced:
a bug in URL parsing can cause git clone to execute arbitrary commands.
These URLs look quite suspicious, so it's unlikely that you'd be convinced
through social engineering to clone them yourself. But they can be hidden
in repository submodules.

Unless you're a Continuous Integration build agent, I hope that it's quite
uncommon that you git clone --recursive a repository that you do not trust.
So exposure to this vulnerability is rather uncommon, but as with any security
vulnerability that has the possibility of remote code execution, you should
upgrade your Git clients immediately.

Git version 2.14.1 is the latest and greatest version of Git, and has
been patched. But most people don't actually build from source, so your
version of Git is probably provided to you by a distribution. You may have
different versions available to you - ones that have had the patches applied
by your vendor - so you may not be able to determine if you're vulnerable
simply by looking at the version number.

Here are some simple steps to determine whether you're vulnerable and
some upgrade instructions if you are.

Are you vulnerable?

You can easily (and safely) check to see if your version of Git is
vulnerable to this recent security vulnerability. Run this from a command
prompt:

git clone -q ssh://-q/ /tmp/gittest

Note: this will not actually clone any repositories to your system,
and it will not execute any dangerous commands.

If you see:

fatal: strange hostname '-q' blocked

Congratulations - you are already running a version of Git that is not
vulnerable.

If, instead, you see:

fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Then your version of Git is vulnerable and you should upgrade immediately.

Windows

macOS

Apple ships Git with Xcode but unfortunately, they do not update it
regularly, even for security vulnerabilities. As a result, you'll
need to upgrade to a version provided by a third party.
Homebrew is the preferred package manager for macOS.

If you have not yet installed Homebrew, you can install it by running:

Linux (Debian, Ubuntu)

If you're using the current version of Ubuntu or Debian, then they'll have
the latest version ready. If you're on a stable system, like a server,
you should be running an LTS
release - a "long term support" version - where they backport
security patches like this one. So you should simply need to:

Get the latest information about the available software versions from
the remote repository:

Debian, Ubuntu:

sudo apt-get update

Red Hat, CentOS:

sudo yum update

Install the latest version of git:

Debian, Ubuntu:

sudo apt-get install git

Red Hat, CentOS:

sudo yum update git

Ensuring that you're patched

Now if you run:

git clone -q ssh://-q/ /tmp/gittest

at a command prompt, then you should see:

fatal: strange hostname '-q' blocked

And now you're patched against the Git security vulnerability,
CVE-2017-1000117.
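
The check from "Are you vulnerable?" and "Ensuring that you're patched", wrapped so a build agent can act on the result. This is an added example, not part of the original article; the function names and the --run argument are assumptions. It clones into a temporary directory instead of /tmp/gittest and forces LC_ALL=C, because Git translates its messages in other locales.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Map the text Git printed for the probe clone to a verdict.
classify_probe_output() {
    case "$1" in
        *"strange hostname '-q' blocked"*)          echo patched ;;
        *"Could not read from remote repository"*)  echo vulnerable ;;
        *)                                          echo unknown ;;
    esac
}

# Run the article's probe against a throwaway directory and print the verdict.
probe_git() {
    command -v git >/dev/null 2>&1 || { echo unknown; return 0; }
    tmp=$(mktemp -d) || { echo unknown; return 0; }
    # LC_ALL=C keeps Git's messages in English so the patterns above match.
    # The clone is expected to fail either way, hence "|| true".
    out=$(LC_ALL=C git clone -q ssh://-q/ "$tmp/gittest" 2>&1) || true
    rm -rf "$tmp"
    classify_probe_output "$out"
}

# Turn a verdict into an exit status a build step can act on:
# 0 = patched, 1 = vulnerable, 2 = inconclusive (git missing or other output).
verdict_status() {
    case "$1" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Run the probe only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verdict=$(probe_git)
    echo "git probe: $verdict"
    verdict_status "$verdict"
    exit $?
fi
```

Run it with --run as a step before any recursive clone of a repository you do not control; with no argument it only defines the functions.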